Random Hack

Friday, July 13, 2018

In my previous post, I talked about how you can set up a local DNS resolver using a Raspberry Pi and how that device can utilize DNSSEC to validate the integrity of domain records as they pass through the internet. In this post, I would like to share with you my experience in configuring randomhack.com's DNS provider and registrar to support the feature.

As you can see from the short video, the process is relatively straightforward. Cloudflare.com does a pretty good job of making the setup easy. If I have time over the weekend, I'll run through the same process on my Google Cloud DNS to compare.

Thursday, July 5, 2018

So I recently set up a spare Raspberry Pi at my house in order to act as a local DNS server which blocks requests based on ad-lists and rules. The software that does this is called, appropriately, Pi-Hole and is fully open source. This has been great because it works across all devices on the network without having to install ad-blockers on each device.

After running this setup for a while and having it use the standard Google Public DNS servers at 8.8.8.8, I found an article about a new public DNS service hosted by CloudFlare on 1.1.1.1, which is a much faster server. Instead of responses in and around the 30-50ms range, the CloudFlare DNS server typically resolves hosts around 11-20ms, or almost twice as fast!

In addition to changing the Pi-Hole software to use this DNS resolver, I read that the CloudFlare DNS server is also offering DNS over HTTPS. (Google also offers this service.) This is great because normal DNS queries are sent unencrypted, meaning anyone on the network between you and the resolver can eavesdrop on your requests and log which sites and services you are visiting with minimal effort. In addition, some Internet Service Providers have even gone so far as to modify the DNS responses for some sites in order to inject ads into your browsing experience!! (pure evil, IMHO)

In order to protect against this type of hijacking and eavesdropping, you can encrypt your DNS requests and send them over the HTTPS protocol, the same protocol that protects secure web sites such as your bank's from being intercepted and read while they travel over the internet.

The guide that I used for configuring the DNS over HTTPS proxy can be found here:

Another benefit of using Pi-Hole is that it supports DNSSEC, which everyone should be using. DNSSEC adds signature verification to detect and prevent tampering with the records in transit. It's an extra layer of protection on top of the HTTPS transport, and it's supported by Pi-Hole. (Just make sure to turn it on, as it's off by default!)
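To make the two protections above concrete, here is an added example (my own code, not something from the Pi-Hole project or the original post) that builds a DNS-over-HTTPS query URL and parses the JSON reply to tell whether the resolver actually validated the answer with DNSSEC. It assumes the resolver speaks the application/dns-json format that Cloudflare's 1.1.1.1 endpoint (https://cloudflare-dns.com/dns-query) uses; the three replies embedded below are constructed samples, not captured traffic.

```python
"""Added example: DNS-over-HTTPS (JSON) client-side checks for DNSSEC validation.

Assumptions (not from the original post):
  - the resolver returns the application/dns-json format used by 1.1.1.1
  - the sample replies below are constructed, not real captures
"""
import json
from urllib.parse import urlencode

DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed JSON DoH endpoint

# DNS RCODE values from RFC 1035 section 4.1.1
RCODE_NOERROR = 0
RCODE_SERVFAIL = 2


def doh_query_url(name, rtype="A", checking_disabled=False):
    """Build the GET URL a DoH client fetches.

    Because the whole request travels inside TLS, an on-path observer sees
    only the resolver's hostname, not the name being looked up.
    """
    params = {"name": name, "type": rtype}
    if checking_disabled:
        # CD bit: ask for data even if it fails DNSSEC validation (debug use only)
        params["cd"] = "true"
    return f"{DOH_ENDPOINT}?{urlencode(params)}"


def parse_doh_json(body):
    """Summarise how much a validating resolver's JSON reply can be trusted.

    A validating resolver sets AD (Authenticated Data) only when the chain of
    signatures checked out, and answers SERVFAIL instead of handing over data
    whose signatures are bogus (unless the client set CD).
    """
    reply = json.loads(body)
    status = reply.get("Status")
    answers = [rr["data"] for rr in reply.get("Answer", [])]
    validated = bool(reply.get("AD")) and not reply.get("CD")

    if status == RCODE_SERVFAIL:
        verdict = "bogus-or-unreachable"   # validation failed or upstream broken
    elif status != RCODE_NOERROR:
        verdict = "error"
    elif validated:
        verdict = "validated"              # signed zone, signatures verified
    else:
        verdict = "unsigned-or-unvalidated"  # no DNSSEC, or resolver not validating

    return {"status": status, "validated": validated,
            "verdict": verdict, "answers": answers}


# --- constructed sample replies (documentation-range addresses, example names) ---
SAMPLE_SIGNED = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": True, "CD": False,
    "Question": [{"name": "signed.example.", "type": 1}],
    "Answer": [{"name": "signed.example.", "type": 1, "TTL": 300, "data": "192.0.2.10"}],
})
SAMPLE_UNSIGNED = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "unsigned.example.", "type": 1}],
    "Answer": [{"name": "unsigned.example.", "type": 1, "TTL": 300, "data": "192.0.2.20"}],
})
SAMPLE_BOGUS = json.dumps({
    "Status": 2, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "bogus.example.", "type": 1}],
})


if __name__ == "__main__":
    print(doh_query_url("signed.example"))
    for label, body in (("signed", SAMPLE_SIGNED), ("unsigned", SAMPLE_UNSIGNED),
                        ("bogus", SAMPLE_BOGUS)):
        print(label, parse_doh_json(body))
```

The point to notice is that only the `AD` flag on a `NOERROR` reply tells you DNSSEC did its job; an answer with `AD` false is either from an unsigned zone or from a resolver that is not validating (the default Pi-Hole setting), and a `SERVFAIL` from a validating resolver is what a tampered record looks like from the client's side.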

Friday, December 2, 2016

Plex announced a few days ago that they are releasing a fully supported plugin for Kodi. This is great and also kind of funny because they both spawned from the same Open Source roots. Over 10 years ago now, those of us with modded Xbox consoles were happy to use Xbox Media Center (XBMC) as an app to turn our game consoles into very powerful media players. The project became so popular that XBMC was ported to Linux and other operating systems. They actually kept the XBMC name for a while until recently changing the name to Kodi.

Kodi has become more popular in the past few years for nefarious reasons, as it is also a popular platform for streaming pirated content from the internet. In addition to Kodi's many features as a media player, Kodi can provide a pretty front end for many advanced Add-Ons that are written using Python. Many people have written specialized add-ons that will scrape internet sources for file share sites that have copies of pirated television and movies. These sites are often filled with malware and ads and are dangerous to use directly. The add-on developers have basically done all of the dirty work for you so that you can easily search and stream from these online sources. That's all well and good, but anyone who has used these Add-Ons will tell you that the scraping process is extremely slow and many of the streams are sub-par quality with subtitles from different languages often burned into your videos.

Why would you want to run Plex within Kodi? Isn't that superfluous, since they are both basically media players? One reason is to use Kodi's built-in AirPlay server to stream content from your Apple devices while watching a movie in Plex. Another is the vast array of customization that Kodi allows within its interface. You also might be a Python developer and want the ability to program your own custom Add-Ons. Now you don't have to close Kodi in order to run Plex. It's definitely a welcome change, and I would consider it a win-win for both Plex and Kodi users.

Friday, November 18, 2016

Google Cloud DNS

So a few months ago I decided to stop paying over $25 a year for DNS hosting from my old provider, DynDNS, and move to something a little cheaper. The first place I chose to look was Google hosted DNS. This Google Cloud DNS service runs on the Google Compute Engine and was immensely cheap at $0.60 per month.

Update: Google Cloud DNS is also well positioned to handle DDoS attacks with their massive infrastructure. Depending on the size of the attack (number of queries), you may be charged a bit extra for absorbing all of that traffic. Although judging from these very low costs per BILLION hits, I don't think it would be very much of a worry. Also, for the security conscious administrators out there, Cloud DNS also has Alpha support for DNSSEC, along with the industry standard RSA. You can sign up for the Alpha here: https://groups.google.com/d/msg/cloud-dns-discuss/WXNHtB9W0bg/5xf6RXLdCQAJ

Cloudflare Managed DNS

Then this week I found out about Cloudflare. I've heard of them and seen in the news how they can protect web sites from DDoS attacks. I thought it was just a gateway of some sort. Now that I have visited their site I am a little more informed. Not only are they a managed DNS provider but they are a global CDN that has many security and optimization features. Best of all, they have a free tier that includes managed DNS and a handful of their most popular services. I really dig the fact I was given a free auto-renewing wildcard SSL certificate for my site. Check them out if you're looking for a free and feature packed option.

Update: Cloudflare also supports DNSSEC using ECDSA and NSEC with white lies. I hear through the grapevine that this works most of the time, but some resolvers might not support this method. It should definitely be taken into consideration before rolling DNSSEC into production.

I also dug a little deeper into the limitations of the free DDoS protection for your website. Cloudflare is a little vague as to the specifics, saying "Basic DDoS protection is limited in our Free and Pro plans, and based on the attack's disturbance to our network." So who knows what the limit is!